MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64f63c70e1facb137a1363aec04b2029a56f1552c721f9667156e7371adf8427. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13



SHA256 hash: 64f63c70e1facb137a1363aec04b2029a56f1552c721f9667156e7371adf8427
SHA3-384 hash: fc5c15f4fadc18503e257c65cff7ecc13394acf624e43314d6374dfafaf9b8ac86cce01b9e83b60ad88e2280491dfd90
SHA1 hash: 3517d7c2b57cf2d53fb0880be593d1511323a60c
MD5 hash: 4942011201ece4f7d3c83182a499a9f2
humanhash: butter-chicken-white-monkey
File name: file
Signature Smoke Loader
File size: 147'456 bytes
First seen: 2023-10-02 01:11:36 UTC
Last seen: 2023-10-02 07:43:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:DL8AZaMdHJ443/JwxHsxv6uEqI2DmpuqTPLe5L8ctaEMJD:/3kidBD6xqDDhoA4yaX
Threatray 7 similar samples on MalwareBazaar
TLSH T16BE3E060D2F1571DE2D6993D89A0A3C4AA32440B7343EB58DF8CE5B6747CEE785C06A2
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter andretavare5
Tags: exe, Smoke Loader
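The imphash line above pivots to 48'647 AgentTesla, 19'451 Formbook and 12'201 SnakeKeylogger samples, so it is useless as a family pivot for this file. TrID classifies the sample as a .NET CIL executable, and a managed PE's only native import is _CorExeMain from mscoree.dll; every .NET executable therefore shares one import hash, and f34d5f2d4577ed6d9ceec516c1f5a744 is that value. The Python below is an added example, not code from MalwareBazaar or from pefile: it reimplements the imphash algorithm the way pefile computes it and runs it over constructed import tables (none of them extracted from this sample) to show why a managed binary cannot be distinguished by imphash and why the ssdeep/TLSH values and YARA matches on this page are the better pivots.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# One import-table entry: (library name as stored in the PE import directory,
# imported function name or None for an import by ordinal, ordinal number).
ImportEntry = Tuple[str, Optional[str], int]


def _library_key(libname: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys suffix, as pefile does."""
    lib = libname.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def import_string(imports: Iterable[ImportEntry]) -> str:
    """Build the comma-joined 'lib.func' list that gets hashed.

    Order is preserved, so the same imports in a different order give a
    different imphash. pefile additionally maps a few well-known ws2_32 and
    oleaut32 ordinals back to names before hashing; that table is not
    reproduced here, so ordinal imports hash as 'ordN'.
    """
    parts: List[str] = []
    for libname, funcname, ordinal in imports:
        func = funcname.lower() if funcname else f"ord{ordinal}"
        parts.append(f"{_library_key(libname)}.{func}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the import string: the imphash shown by MalwareBazaar and VirusTotal."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (assumed for the example, not read from the sample).
# A managed .NET executable's only native import is mscoree.dll!_CorExeMain; the
# CLR resolves everything else at run time, so whatever the binary does once the
# runtime is up, its import hash is the same.
DOTNET_EXE_STUB: List[ImportEntry] = [("mscoree.dll", "_CorExeMain", 0)]
DOTNET_EXE_STUB_UPPERCASE: List[ImportEntry] = [("MSCOREE.DLL", "_CORExeMain", 0)]

# A native dropper with a real import table yields a hash that distinguishes builds.
NATIVE_DROPPER: List[ImportEntry] = [
    ("KERNEL32.dll", "CreateProcessW", 0),
    ("KERNEL32.dll", "WriteProcessMemory", 0),
    ("ADVAPI32.dll", "RegSetValueExW", 0),
    ("WS2_32.dll", None, 23),  # import by ordinal
]

# Value printed in the imphash line of this MalwareBazaar entry.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


if __name__ == "__main__":
    print("import string  :", import_string(DOTNET_EXE_STUB))
    print(".NET stub      :", imphash(DOTNET_EXE_STUB))
    print("page imphash   :", PAGE_IMPHASH)
    print("same as page?  :", imphash(DOTNET_EXE_STUB) == PAGE_IMPHASH)
    print("native dropper :", imphash(NATIVE_DROPPER))
    print("reordered      :", imphash(list(reversed(NATIVE_DROPPER))))
```

The practical check when triaging an entry like this one: if the imphash has five-digit family counts behind it, or equals the .NET stub value, do not pivot on it; use the similarity hashes or the family-specific YARA hits instead.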


andretavare5
Sample downloaded from http://185.225.74.144/files/Umm2.exe

Intelligence


File Origin
# of uploads: 11
# of downloads: 312
Origin country: US
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
https://celema.co/wp-download/zip9.7z
Verdict:
Malicious activity
Analysis date:
2023-10-02 07:11:55 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline stealc fabookie smoke tofsee botnet trojan amadey miner rhadamanthys teamspy remote g0njxa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Fabookie, SmokeLoader
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected SmokeLoader
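Several signatures above (Adds a directory exclusion to Windows Defender, Disables UAC (registry), Uses schtasks.exe or at.exe to add and modify task schedules, Sigma detected: Stop multiple services) correspond to command lines that process-creation telemetry records (Sysmon event 1, Security event 4688). The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page: it runs simple rules for those four behaviours over constructed process events. The event contents (the excluded path, the service names, the task name and action) are made up for the example and are not taken from the report; the rules are the checks a detection engineer would write for the behaviours listed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon event 1 and Security 4688 share)."""
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Locations a standard user can write to; a scheduled task whose action lives
# there is the usual shape of commodity-loader persistence.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def defender_exclusion_added(e: ProcessEvent) -> bool:
    return _basename(e.image) in ("powershell.exe", "pwsh.exe") and bool(
        re.search(r"add-mppreference\b.*-exclusion(path|process|extension)\b", e.command_line, re.I))


def uac_disabled_via_registry(e: ProcessEvent) -> bool:
    # HKLM\...\Policies\System\EnableLUA = 0 switches UAC off at the next boot.
    return _basename(e.image) == "reg.exe" and bool(
        re.search(r"policies\\system\b.*\benablelua\b.*\s/d\s+0\b", e.command_line, re.I))


def scheduled_task_from_user_dir(e: ProcessEvent) -> bool:
    if _basename(e.image) != "schtasks.exe" or not re.search(r"/create\b", e.command_line, re.I):
        return False
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', e.command_line, re.I)
    action = ""
    if m:
        action = m.group(1) if m.group(1) is not None else m.group(2)
    return bool(USER_WRITABLE.search(action))


PER_EVENT_RULES = [defender_exclusion_added, uac_disabled_via_registry, scheduled_task_from_user_dir]


def stop_multiple_services(events: List[ProcessEvent], threshold: int = 2) -> Dict[str, List[int]]:
    """Group 'sc stop <service>' launches by parent; report parents at or above threshold."""
    per_parent: Dict[str, List[int]] = {}
    for idx, e in enumerate(events):
        if _basename(e.image) == "sc.exe" and re.match(r"^\s*\S+\s+stop\b", e.command_line, re.I):
            per_parent.setdefault(e.parent_image.lower(), []).append(idx)
    return {p: idxs for p, idxs in per_parent.items() if len(idxs) >= threshold}


def detect(events: List[ProcessEvent]) -> Dict[str, object]:
    hits: List[Tuple[str, int]] = []
    for idx, e in enumerate(events):
        for rule in PER_EVENT_RULES:
            if rule(e):
                hits.append((rule.__name__, idx))
    return {"hits": hits, "stop_multiple_services": stop_multiple_services(events)}


# Constructed events for the example; paths, service and task names are illustrative.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"',
                 r"C:\Users\user\Desktop\file.exe"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc stop WinDefend", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc stop wuauserv", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc minute /mo 1 /tn "nhdues" /tr "C:\Users\user\AppData\Local\Temp\nhdues.exe" /f',
                 r"C:\Users\user\AppData\Local\Temp\nhdues.exe"),
    # Benign look-alikes that must not fire.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc daily /tn "VendorBackup" /tr "C:\Program Files\Vendor\backup.exe"',
                 r"C:\Program Files\Vendor\setup.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-MpPreference",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for rule, idx in result["hits"]:
        print(f"{rule:30s} event {idx}: {SAMPLE_EVENTS[idx].command_line}")
    print("multiple service stops by parent:", result["stop_multiple_services"])
```

The per-event rules are deliberately narrow (a specific binary plus a specific argument shape) so that a single hit is actionable on its own; the service-stop rule is aggregated per parent because one `sc stop` is routine administration while several from the same cmd.exe, as the Sigma rule on this page describes, is not.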
Behaviour
Behavior Graph ID: 1317672
Sample: file.exe
Start date: 02/10/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree (per process: network contacts, dropped files, signatures, child processes):

file.exe
  signatures: Adds a directory exclusion to Windows Defender; Disables UAC (registry)
  starts: ngentask.exe, powershell.exe
  ngentask.exe
    network: 85.217.144.143 WS171-ASRU Bulgaria; 69.49.241.44 UNIFIEDLAYER-AS-1US United States; 25 other IPs or domains
    dropped: C:\Users\...\zzAL1QYsn2XOFDtuqzeZAOYM.exe (PE32); C:\Users\...\zm2lykCDx9Rc5pZsMHmhZwy6.exe (PE32); C:\Users\...\zYuglqlFJRoyI6rl2BfxQlbK.exe (PE32); 159 other malicious files
    signatures: Drops script or batch files to the startup folder; Writes many files with high entropy
    starts: 2eygMAK9f1qZE9TTBsoNaM8U.exe, dvuE0Zr9VdgXPj1H5jrCCfzr.exe, qUQH5pUGjq3cP1FzWdNtI2yY.exe, 9 other processes
    2eygMAK9f1qZE9TTBsoNaM8U.exe
      dropped: C:\Users\user\AppData\Local\...\nhdues.exe (PE32)
      signatures: Contains functionality to inject code into remote processes
      starts: nhdues.exe
      nhdues.exe
        network: 193.42.32.29 EENET-ASEE Germany
        dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32+); C:\Users\user\AppData\Local\...\clip64[1].dll (PE32)
        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Uses schtasks.exe or at.exe to add and modify task schedules
        starts: rundll32.exe, cmd.exe, schtasks.exe, rundll32.exe
        rundll32.exe
          starts: rundll32.exe
          rundll32.exe
            network: 109.206.241.33 AWMLTNL Germany
            signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
            starts: tar.exe
            tar.exe
              starts: conhost.exe
        cmd.exe
          starts: conhost.exe, cmd.exe, cacls.exe, 4 other processes
        schtasks.exe
          starts: conhost.exe
    dvuE0Zr9VdgXPj1H5jrCCfzr.exe
      dropped: C:\Users\...\dvuE0Zr9VdgXPj1H5jrCCfzr.tmp (PE32)
      starts: dvuE0Zr9VdgXPj1H5jrCCfzr.tmp
      dvuE0Zr9VdgXPj1H5jrCCfzr.tmp
        dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-UL3EJ.tmp (PE32+); C:\Users\user\AppData\...\is-8K68P.tmp (PE32); 4 other files (3 malicious)
        starts: _setup64.tmp, schtasks.exe, schtasks.exe, DigitalPulseService.exe
        _setup64.tmp
          starts: conhost.exe
        schtasks.exe (both instances)
          starts: conhost.exe
        DigitalPulseService.exe
          network: 3.98.219.138 AMAZON-02US United States
    qUQH5pUGjq3cP1FzWdNtI2yY.exe
      dropped: C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
      signatures: Modifies the hosts file; Adds a directory exclusion to Windows Defender
    9 other processes
      network: 154.221.26.108 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles; 156.236.72.121 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles
      dropped: C:\Users\...\sjn6hbQiAYA0OPUfe3Un8eY1.tmp (PE32); C:\Users\...\f42e8a68632348c8c785c8989ac1957d (SQLite)
      signatures: Tries to harvest and steal browser information (history, passwords, etc); Sample uses process hollowing technique
      starts: sjn6hbQiAYA0OPUfe3Un8eY1.tmp
      sjn6hbQiAYA0OPUfe3Un8eY1.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
  powershell.exe
    starts: conhost.exe
cmd.exe
  starts: conhost.exe, sc.exe, sc.exe, 2 other processes
cmd.exe
  starts: conhost.exe, iQiLBVvjyROZQZuRbzUY2jvq.exe
4 other processes
  network: 3.98.215.151 AMAZON-02US United States
  starts: conhost.exe
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2023-10-02 01:12:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:dcrat family:fabookie family:glupteba family:smokeloader family:xmrig botnet:pub1 backdoor dropper evasion infostealer loader miner persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
DcRat
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://app.nnnaajjjgc.com/check/safe
Unpacked files
SHA256 hash: 35a56d57b7197af79d9aeace2f13de97b2cbebe18f7ef67056c2edd2f978922f
MD5 hash: 5cf34cb98ff840e6d13c57c47d3be18a
SHA1 hash: 7c9877fae8ca0d13b664c8ba16f974c2419c6545
SHA256 hash: 64f63c70e1facb137a1363aec04b2029a56f1552c721f9667156e7371adf8427
MD5 hash: 4942011201ece4f7d3c83182a499a9f2
SHA1 hash: 3517d7c2b57cf2d53fb0880be593d1511323a60c

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
